[fw-wiz] re: NAT for a simple network
From: Mike Hoskins (mike_at_adept.org)
To: email@example.com
Date: Wed, 13 Aug 2003 18:32:42 -0700 (PDT)
Date: Tue, 12 Aug 2003 08:37:22 -0400
From: "Robert E. Martin" <firstname.lastname@example.org>
> I am setting up a simple network for a small office of 10 machines. The
> office users will only have internet access. There will be no mail
> server or web server (yet). Telco will provide DSL. I was thinking that
> a simple device like a DLINK DI804 or DFL80 would do the job for simple
> security and minimal overhead and provide for port forwarding for the
> future web server/mail server.
you may want to browse bugtraq or other archives and see which vendors
have had the most reported incidents, etc. you may also want to correlate
that with their average response time (if they respond at all). due to
the relatively complex nature of these devices (simple in theory, not in
practice), they are all prone to have some issues in their past or the
future. that's nothing against any one vendor, just a given in my book.
noting how vendors respond is often a good selection tool.
> I had thought that NAT at the gateway
> would be secure enough for a situation like this. With reading the post
> about Home Appliances, the default is "allow any out", "deny any in" for
> appliances like this. Does this mean this is "stateful packet
> inspection"? Are there any thoughts about this?
not just NAT... at a minimum, you'll want to set up (or verify) some basic
rules protecting the gateway device itself. many of the DoS and other
attacks against these devices stem from remote and/or local traffic being
allowed to the device itself. in general, you should verify packets are
not allowed to the device from the big bad Internet. you may also want to
only allow local access from select IP addresses or subnets.
as an example... D-link (and again, many devices have had issues, so i'm
not trying to target any one vendor...) has had some recent issues on
bugtraq. many of those issues could have been bypassed by simply
configuring a few rules on the devices during deployment. allowing
packets from random hosts to admin (80, 8000, 8080, etc.), SNMP, TFTP or
other ports is most certainly not a good idea.
_______________________________________________
firewall-wizards mailing list
email@example.com
http://honor.icsalabs.com/mailman/listinfo/firewall-wizards
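As an added illustration of the advice above (this is example code written for this page, not from the poster or from any D-Link product), the model below separates the two policies the reply distinguishes: the stateful "allow any out, deny any in" NAT policy for traffic passing through the gateway, and a much stricter policy for packets addressed to the gateway itself, where the admin UI (80, 8000, 8080), SNMP (161) and TFTP (69) are reachable only from a short list of LAN hosts. The addresses, the admin host, the port list, the DNS/DHCP services and the scenario packets are all constructed assumptions for the example.

```python
"""Model of a small-office NAT gateway: stateful "allow out, deny in" for
forwarded traffic, plus a separate, stricter policy for packets whose
destination is the gateway itself (admin UI, SNMP, TFTP)."""
import ipaddress
from dataclasses import dataclass

# Assumed, constructed addressing (RFC 1918 LAN, RFC 5737 documentation WAN).
LAN = ipaddress.ip_network("192.168.1.0/24")
GW_LAN_IP = ipaddress.ip_address("192.168.1.1")
GW_WAN_IP = ipaddress.ip_address("203.0.113.10")
ADMIN_HOSTS = {ipaddress.ip_address("192.168.1.10")}      # only LAN hosts allowed to manage the box
MGMT_PORTS = {("tcp", 80), ("tcp", 8000), ("tcp", 8080),  # web admin UIs
              ("udp", 161), ("udp", 69)}                   # SNMP, TFTP
LAN_SERVICES = {("udp", 53), ("udp", 67)}                  # DNS forwarder, DHCP, for every LAN host


@dataclass(frozen=True)
class Packet:
    proto: str
    src: str
    sport: int
    dst: str
    dport: int


class Gateway:
    """handle() returns 'ACCEPT' or 'DROP'. forwards maps (proto, wan_port) -> (lan_ip, lan_port)."""

    def __init__(self, forwards=None):
        self.forwards = dict(forwards or {})
        # NAT state: (proto, remote_ip, remote_port, nat_port) -> (lan_ip, lan_port)
        self.state = {}
        self._next_port = 40000

    def handle(self, pkt):
        src, dst = ipaddress.ip_address(pkt.src), ipaddress.ip_address(pkt.dst)
        if dst == GW_LAN_IP or (dst == GW_WAN_IP and src in LAN):
            return self._input(pkt, src)      # traffic TO the box from the LAN side
        if src in LAN and dst not in LAN:
            return self._outbound(pkt)        # LAN -> Internet: allow and record the flow
        if src not in LAN and dst == GW_WAN_IP:
            return self._inbound(pkt)         # Internet -> box: a reply, a forward, or nothing
        return "DROP"   # LAN-to-LAN hairpins and WAN packets carrying LAN addresses (spoofing)

    def _input(self, pkt, src):
        svc = (pkt.proto, pkt.dport)
        if src in LAN and svc in LAN_SERVICES:
            return "ACCEPT"
        if src in ADMIN_HOSTS and svc in MGMT_PORTS:
            return "ACCEPT"
        return "DROP"   # everyone else, LAN or Internet, gets nothing from the box itself

    def _outbound(self, pkt):
        key = (pkt.proto, pkt.dst, pkt.dport, pkt.sport)   # try to keep the source port
        if self.state.get(key, (pkt.src, pkt.sport)) != (pkt.src, pkt.sport):
            self._next_port += 1                            # port taken by another host
            key = (pkt.proto, pkt.dst, pkt.dport, self._next_port)
        self.state[key] = (pkt.src, pkt.sport)
        return "ACCEPT"

    def _inbound(self, pkt):
        if (pkt.proto, pkt.src, pkt.sport, pkt.dport) in self.state:
            return "ACCEPT"   # reply to a flow a LAN host opened: un-NAT and forward it
        if (pkt.proto, pkt.dport) in self.forwards:
            return "ACCEPT"   # explicit port forward to a published server
        return "DROP"         # everything else, including admin/SNMP/TFTP on the WAN side


# Constructed packets, not captured traffic; processed in order so replies follow requests.
SCENARIO = [
    ("office browses out", Packet("tcp", "192.168.1.25", 51000, "198.51.100.7", 80)),
    ("web server replies", Packet("tcp", "198.51.100.7", 80, "203.0.113.10", 51000)),
    ("Internet unsolicited to NAT range", Packet("tcp", "198.51.100.9", 4444, "203.0.113.10", 51001)),
    ("Internet probes admin UI", Packet("tcp", "198.51.100.9", 4444, "203.0.113.10", 8080)),
    ("Internet SNMP walk", Packet("udp", "198.51.100.9", 5555, "203.0.113.10", 161)),
    ("admin host opens UI", Packet("tcp", "192.168.1.10", 52000, "192.168.1.1", 80)),
    ("ordinary LAN host tries TFTP", Packet("udp", "192.168.1.25", 52001, "192.168.1.1", 69)),
    ("LAN DNS query", Packet("udp", "192.168.1.25", 52002, "192.168.1.1", 53)),
]


def run_scenario(forwards=None):
    """Run SCENARIO through one gateway and return {name: verdict}."""
    gw = Gateway(forwards)
    return {name: gw.handle(pkt) for name, pkt in SCENARIO}


if __name__ == "__main__":
    for name, verdict in run_scenario().items():
        print(f"{verdict:6} {name}")
```

The point of the model is the order of checks in handle(): a packet from the Internet addressed to the gateway's WAN IP is first matched against the state table (a reply to something a LAN host opened), then against explicit port forwards, and only then considered as traffic to the device itself, where it is dropped outright. Without that last step a box that "denies any in" for forwarded traffic can still expose its own admin UI, SNMP agent or TFTP server on the WAN side.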